Adding DS record to parent

Kevin Oberman kob6558 at gmail.com
Fri Feb 24 16:55:39 UTC 2012 

On Fri, Feb 24, 2012 at 8:19 AM,  <WBrown at e1b.org> wrote:
> Bill Owens <owens at nysernet.org> wrote on 02/24/2012 11:02:50 AM:
>
>> I haven't heard of NS supporting DNSSEC, and there haven't been any
>> good resources to find a registrar who *does*, but this popped up
> recently:
>>
>> http://www.icann.org/en/topics/dnssec/deploy-en.htm
>>
>> . . . and NS isn't on that list. FWIW, DynDNS does a fine job
>> (that's who we've chosen), GoDaddy works okay too (though I think
>> there are many other reasons to avoid using them) and I've heard
>> good things about GKG.
>
> Our domains are mostly registered through Network Solutions.  I've little
> experience with the others you mention, other than GoDaddy screwing up
> domains years ago by changing the domain's name servers to point to theirs
> instead of the ones we operate for our school district customers.
>
> The Public Interest Registry who runs .ORG has a list of registrars that
> support DNSSEC at
> http://www.pir.org/get/registrars?order=field_dnssec_value&sort=desc but
> they helpfully note "This does not indicate whether the registrar has
> enabled a DNSSEC service for the registrants. Please contact the
> registrars directly for their DNSSEC service."  Apparently, NS falls into
> this category.
>
> Given that they were the original (and for a long time ONLY) registrar,
> you would think they would be an industry leader.  I'm drawing a different
> conclusion.
>
>
>
>
>
> Confidentiality Notice:
> This electronic message and any attachments may contain confidential or
> privileged information, and is intended only for the individual or entity
> identified above as the addressee. If you are not the addressee (or the
> employee or agent responsible to deliver it to the addressee), or if this
> message has been addressed to you in error, you are hereby notified that
> you may not copy, forward, disclose or use any part of this message or any
> attachments. Please notify the sender immediately by return e-mail or
> telephone and delete this message from your system.

We have several signed domains with NS including our main 'es.net',
but there was no easy way to get this done. We were fortunate to be
able to contact engineers at NS who worked with us to get our DS
records installed, all as a manual process. From the confusion caused
by having two DS records for each domain (with different hash types),
it is clear that they really were pretty clueless at that time (about
a year ago).

It took only a few days for .net and .com entries. .org took weeks due
to NS not being familiar with the mechanisms needed to enter DS
records there. I suspect that the .com and .net entries were done
manually as .com and .net had just started accepting DS records at
that time. .org had been handling them for a while and had procedures
for handling these in place and, ironically,  that is what complicated
things.

On my semi-retirement, I passed support for our DNS on to other, very
capable hands who are very knowledgeable on DNSSEC, but I suspect that
a KSK roll will prove 'interesting'.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558 at gmail.com

More information about the bind-users mailing list